cvebase

Opensourcepos vulnerabilities

7 known vulnerabilities affecting opensourcepos/opensourcepos.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 4

Vulnerabilities

CVE-2026-32888 | HIGH (P3) | CVSS 8.8 | CWE-89 | affected: ≤ 3.4.1 | published 2026-03-20 | source: NVD
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions up to and including 3.4.1 contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from the search GET parameter is interpolated directly into a HAVING clause wit[…]
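CVE-2026-32888 comes down to a request parameter being spliced into SQL text. The following is an added example, not code from OSPOS: it reproduces the shape of the flaw with PDO over an in-memory SQLite database (the items/attribute_values schema, column names and sample rows are constructed for the demo, as is the attacker input), then shows the same query with a bound parameter.

```php
<?php
// Added example, not OSPOS code: a search term spliced into a HAVING clause versus
// the same query with a bound parameter. The schema, table and column names and
// the sample rows are constructed for this demo.

function buildSchema(PDO $db): void
{
    $db->exec('CREATE TABLE items (item_id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec('CREATE TABLE attribute_values (item_id INTEGER, attribute_value TEXT)');
    $db->exec("INSERT INTO items VALUES (1, 'Espresso'), (2, 'Latte'), (3, 'Bagel')");
    $db->exec("INSERT INTO attribute_values VALUES (1, 'hot'), (2, 'hot'), (3, 'baked')");
}

// Vulnerable: the search term becomes part of the SQL text, so a quote character in it
// changes the statement. A HAVING clause is no safer than WHERE in this respect.
function searchCustomVulnerable(PDO $db, string $search): array
{
    $sql = "SELECT i.item_id, i.name, GROUP_CONCAT(av.attribute_value) AS attribute_values
            FROM items i
            JOIN attribute_values av ON av.item_id = i.item_id
            GROUP BY i.item_id
            HAVING GROUP_CONCAT(av.attribute_value) LIKE '%$search%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: a placeholder keeps the statement fixed; the value travels separately and is
// only ever compared as data. The wildcards are added to the value, not to the SQL.
function searchCustomSafe(PDO $db, string $search): array
{
    $sql = "SELECT i.item_id, i.name, GROUP_CONCAT(av.attribute_value) AS attribute_values
            FROM items i
            JOIN attribute_values av ON av.item_id = i.item_id
            GROUP BY i.item_id
            HAVING GROUP_CONCAT(av.attribute_value) LIKE ?";
    $stmt = $db->prepare($sql);
    $stmt->execute(['%' . $search . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
buildSchema($db);

// Constructed attacker input: closes the string literal, appends an always-true
// condition and comments out the remainder of the clause.
$payload = "%' OR 1=1 -- ";

printf("vulnerable, search 'baked': %d row(s)\n", count(searchCustomVulnerable($db, 'baked')));
printf("vulnerable, payload:        %d row(s)\n", count(searchCustomVulnerable($db, $payload)));
printf("safe, payload:              %d row(s)\n", count(searchCustomSafe($db, $payload)));
```

Run it with the php CLI (the pdo_sqlite extension is required). With the benign term the vulnerable function returns only the matching item; with the payload it returns every item, because the injected `OR 1=1` replaces the filter. The bound version returns nothing for the payload, since the same bytes are treated purely as a LIKE pattern. In a CodeIgniter 4 code base the equivalent fix is to pass the value through the query builder or `$db->query()` with `?` placeholders rather than building the HAVING string by hand.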
CVE-2025-68434 | HIGH (P3) | CVSS 8.8 | CWE-352 | affected: >= 3.4.0, < 3.4.2 | published 2025-12-17 | source: NVD
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery (CSRF) vulnerability exists in the application's filter configuration. The CSRF protection mechanism was explicitly disabled, allowing the[…]
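The entry above locates the CSRF problem in the filter configuration. As an added illustration, not OSPOS's actual file, this is the shape of that switch in a CodeIgniter 4 `app/Config/Filters.php`, with the weak state (CSRF filter not applied to any request) beside the corrected one. The `api/*` exemption pattern is an assumption chosen for the example.

```php
<?php
// Added illustration, not OSPOS's real configuration: how CodeIgniter 4's CSRF
// filter is switched on or off in app/Config/Filters.php. The 'api/*' route
// pattern is an assumed placeholder.

namespace Config;

use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Filters\CSRF;

class Filters extends BaseConfig
{
    public array $aliases = [
        'csrf' => CSRF::class,
    ];

    // Weak: with no 'csrf' entry in the global 'before' list (the framework skeleton
    // ships it commented out), no request is checked for a token, so any
    // state-changing POST can be forged from another origin while the user is
    // logged in.
    //
    // public array $globals = [
    //     'before' => [
    //         // 'csrf',
    //     ],
    //     'after' => [],
    // ];

    // Corrected: apply the CSRF filter before every request. Exempt only endpoints
    // that carry their own per-request authentication, and list them explicitly
    // instead of disabling the filter globally.
    public array $globals = [
        'before' => [
            'csrf' => ['except' => ['api/*']],
        ],
        'after' => [],
    ];
}
```

Enabling the filter is only half of the fix: every HTML form must emit the token (`csrf_field()` from the form helper) and JavaScript requests must send it in the header configured in `Config\Security` (`X-CSRF-TOKEN` by default), otherwise legitimate submissions are rejected and the temptation to switch the filter off again returns.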
CVE-2026-33730 | MEDIUM (P3) | CVSS 6.5 | CWE-639 | fixed in 3.4.2 | published 2026-03-27 | source: NVD
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulati[…]
CVE-2025-68147 | HIGH (P3) | CVSS 8.1 | CWE-79 | affected: >= 3.4.0, < 3.4.2 | published 2025-12-17 | source: NVD
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Stored Cross-Site Scripting (XSS) vulnerability exists in the "Return Policy" configuration field. The application does not properly sanitize user input before saving it t[…]
CVE-2026-39380 | MEDIUM (P4) | CVSS 5.4 | CWE-79 | fixed in 3.4.3 | published 2026-04-07 | source: NVD
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied through the stock_location parameter, allowing attackers to[…]
CVE-2026-32712 | MEDIUM (P4) | CVSS 5.4 | CWE-79 | fixed in 3.4.3 | published 2026-04-07 | source: NVD
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be[…]
CVE-2025-68658 | MEDIUM (P4) | CVSS 4.8 | CWE-79 | fixed in 3.4.2 | published 2026-01-13 | source: NVD
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 have a stored XSS vulnerability in the Configuration (Information) functionality. An authenticated user with the permission "Configuration: Change OSPOS's Configuration" can inject a malici[…]
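The four stored XSS entries above (Return Policy, Stock Locations, the Daily Sales customer_name column with escape: false, and Configuration Information) share one root cause: text that a user stored earlier reaches an HTML output context without encoding. The following is an added example, not OSPOS or bootstrap-table code: a small PHP row renderer that mimics bootstrap-table's per-column `escape` option, showing the weak column configuration beside a hardened one. The record fields and the payload are constructed for the demo.

```php
<?php
// Added example, not OSPOS or bootstrap-table code: a minimal server-side row
// renderer that mimics bootstrap-table's per-column `escape` option, to show why
// `escape: false` on a column fed with user-supplied text is a stored XSS and
// what the hardened configuration looks like. Field names are assumptions.

function h(string $s): string
{
    // Encode for an HTML text or quoted-attribute context; quotes are encoded
    // too, and invalid UTF-8 is replaced instead of silently dropping the cell.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * @param array<string,mixed> $row     one record from the database
 * @param array<string,array> $columns field => ['escape' => bool] or ['formatter' => callable]
 */
function renderRow(array $row, array $columns): string
{
    $cells = [];
    foreach ($columns as $field => $opts) {
        $value = (string) ($row[$field] ?? '');
        if (isset($opts['formatter'])) {
            // A formatter returns markup and is responsible for escaping what it embeds.
            $cells[] = '<td>' . $opts['formatter']($value, $row) . '</td>';
        } elseif (($opts['escape'] ?? true) === false) {
            $cells[] = '<td>' . $value . '</td>';   // raw passthrough: the vulnerable path
        } else {
            $cells[] = '<td>' . h($value) . '</td>';
        }
    }
    return '<tr>' . implode('', $cells) . '</tr>';
}

// Constructed record: a customer whose stored name carries a payload.
$sale = [
    'sale_id'       => 17,
    'customer_id'   => 5,
    'customer_name' => '<img src=x onerror=alert(1)>',
    'total'         => '4.50',
];

// Weak configuration: customer_name is emitted exactly as stored.
$vulnerableColumns = [
    'sale_id'       => ['escape' => true],
    'customer_name' => ['escape' => false],
    'total'         => ['escape' => true],
];

// Hardened configuration: escape by default. A column that genuinely needs markup
// (here a link to the customer record) builds it from escaped parts rather than
// switching escaping off for the whole column.
$hardenedColumns = [
    'sale_id'       => ['escape' => true],
    'customer_name' => ['formatter' => fn (string $name, array $row): string =>
        '<a href="/customers/' . (int) $row['customer_id'] . '">' . h($name) . '</a>'],
    'total'         => ['escape' => true],
];

echo renderRow($sale, $vulnerableColumns), PHP_EOL;  // payload reaches the browser as markup
echo renderRow($sale, $hardenedColumns), PHP_EOL;    // payload rendered as literal text inside the link
```

Run it with the php CLI and compare the two rows. bootstrap-table behaves the same way on the client: with `escape: false` the field value is inserted into the cell as HTML, so the only safe use of that flag is for columns whose content the server already built from escaped pieces. For the server-rendered fields in the other three entries (Return Policy, stock_location, the Configuration Information fields) the same rule applies at output time in the view, with CodeIgniter's `esc()` playing the role of `h()` here; sanitising on save is not a substitute, because the stored value is emitted in more than one context.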